US11893110B2 - Attack estimation device, attack estimation method, and attack estimation program - Google Patents

Attack estimation device, attack estimation method, and attack estimation program

Info

Publication number
US11893110B2
Authority
US
United States
Prior art keywords
attack
compromise
log
abstract
tree
Prior art date
Legal status
Active, expires
Application number
US17/386,169
Other versions
US20210357501A1 (en)
Inventor
Hisashi Naito
Kiyoto Kawauchi
Current Assignee
Mitsubishi Electric Corp
Original Assignee
Mitsubishi Electric Corp
Priority date
Filing date
Publication date
Application filed by Mitsubishi Electric Corp
Assigned to Mitsubishi Electric Corporation (assignors: Naito, Hisashi; Kawauchi, Kiyoto)
Publication of US20210357501A1
Application granted
Publication of US11893110B2
Legal status: Active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 11/00 Error detection; Error correction; Monitoring
    • G06F 11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F 11/14 Error detection or correction of the data by redundancy in operation
    • G06F 11/1402 Saving, restoring, recovering or retrying
    • G06F 11/1415 Saving, restoring, recovering or retrying at system level
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2201/00 Indexing scheme relating to error detection, to error correction, and to monitoring
    • G06F 2201/86 Event-based monitoring
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/03 Indexing scheme relating to G06F 21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F 2221/034 Test or assess a computer or a system

Definitions

  • The present invention relates to an attack estimation device, an attack estimation method, and an attack estimation program in which a range of compromise from an attack on an analysis target system is estimated.
  • In order to deal with the occurrence of information security incidents, in addition to security analysis performed in advance on a system to be protected, a system configured to detect an attack that leads to a trouble over information assets in anticipation of contingencies is desired.
  • As a technology of assisting in taking a countermeasure for detecting such an attack, several technologies using an attack tree method have been proposed (see Non-Patent Literature 1, for example).
  • Those technologies of the related art may possibly be applied to accomplish attack detection and infection site identification based on an attack tree, by automatically generating a detection rule that corresponds to a measure of attack, namely, an attack tree in which indicators of compromise (IOC) are defined, and by using the indicators of compromise.
  • IOC: indicators of compromise.
  • As one of the methods of solving those problems, there has been proposed a related art that prevents erroneous omission of detection of a multistage attack by regarding, in an attack scenario for a multistage attack, an event that cannot be observed as an observed event when the events preceding and following that event are successfully observed (see Patent Literature 3, for example).
  • The present invention has been made to solve the problem described above, and an object thereof is to obtain an attack estimation device, an attack estimation method, and an attack estimation program with which indicators of an attack of an unknown pattern can be estimated.
  • An attack estimation device including: an attack tree storage unit configured to hold an attack tree in which an attack method assumed in advance in an analysis target system and indicators of compromise are associated with each other; an abstract attack tree storage unit configured to hold an abstract attack tree in which the attack method and an abstract attack name that is obtained by increasing a level of abstraction of the attack method are associated with each other; a log check management information storage unit configured to hold log check management information in which the abstract attack name, a device for which a log is to be checked, and a specific place in the log are associated with one another; and a prediction unit configured to predict, when a detection alert informing of occurrence of an attack on the analysis target system is received, a range of compromise from the attack by referring to the attack tree, the abstract attack tree, and the log check management information, wherein the prediction unit is configured to: identify, when the detection alert is received, the indicators of compromise that correspond to the attack by referring to the attack tree; determine that an attack of a known pattern has occurred as the attack when the indicators of
  • An attack estimation method including: a storage step of holding, in a storage unit, an attack tree in which an attack method assumed in advance in an analysis target system and indicators of compromise are associated with each other, an abstract attack tree in which the attack method and an abstract attack name that is obtained by increasing a level of abstraction of the attack method are associated with each other, and log check management information in which the abstract attack name, a device for which a log is to be checked, and a specific place in the log are associated with one another; and a prediction step of predicting, when a detection alert informing of occurrence of an attack on the analysis target system is received, a range of compromise from the attack by referring to the attack tree, the abstract attack tree, and the log check management information, wherein the prediction step includes: identifying, when the detection alert is received, the indicators of compromise that correspond to the attack by referring to the attack tree; determining that an attack of a known pattern has occurred as the attack when the indicators of compromise that correspond to the attack are successfully identified, and
  • An attack estimation program for causing a computer to execute: a storage step of holding, in a storage unit, an attack tree in which an attack method assumed in advance in an analysis target system and indicators of compromise are associated with each other, an abstract attack tree in which the attack method and an abstract attack name that is obtained by increasing a level of abstraction of the attack method are associated with each other, and log check management information in which the abstract attack name, a device for which a log is to be checked, and a specific place in the log are associated with one another; and a prediction step of predicting, when a detection alert informing of occurrence of an attack on the analysis target system is received, a range of compromise from the attack by referring to the attack tree, the abstract attack tree, and the log check management information, wherein the prediction step includes: identifying, when the detection alert is received, the indicators of compromise that correspond to the attack by referring to the attack tree; determining that an attack of a known pattern has occurred as the attack when the indicators of compromise that correspond to the
  • With the attack estimation device described above, it is possible to obtain the attack estimation device, the attack estimation method, and the attack estimation program with which the indicators of the attack of the unknown pattern can be estimated.
  • FIG. 1 is a diagram for illustrating a hardware configuration example of an attack estimation device according to a first embodiment of the present invention.
  • FIG. 2 is a diagram for illustrating a function configuration example of the attack estimation device according to the first embodiment of the present invention.
  • FIG. 3 is a flow chart for illustrating steps of creating data required to estimate indicators of a cyber attack in the attack estimation device according to the first embodiment of the present invention.
  • FIG. 4 is a table for showing a data structure of an attack tree held in an attack tree storage unit in the first embodiment of the present invention.
  • FIG. 5 is a table for showing a data structure of an abstract attack tree held in an abstract attack tree storage unit in the first embodiment of the present invention.
  • FIG. 6 is a table for showing a data structure of log check management information held in a log check management information storage unit in the first embodiment of the present invention.
  • FIG. 7 is a flow chart for illustrating a series of operation steps of an attack estimation method to be executed in the attack estimation device according to the first embodiment of the present invention.
  • FIG. 8 is a diagram for illustrating a function configuration example of an attack estimation device according to a second embodiment of the present invention.
  • FIG. 9 is a table for showing a data structure of recovery measure information which is held in a recovery measure information storage unit in the second embodiment of the present invention and which associates recovery work with a work time.
  • The attack estimation device described below relates to a “device for estimating indicators of a cyber attack” that is capable of estimating indicators of a cyber attack of an unknown pattern.
  • In the following description, the “device for estimating indicators of a cyber attack” is simply referred to as “attack estimation device.”
  • FIG. 1 is a diagram for illustrating a hardware configuration example of an attack estimation device 1 according to the first embodiment of the present invention.
  • In the attack estimation device 1 of FIG. 1, a drive device 101, an auxiliary storage device 103, a memory device 104, a CPU 105, and an interface device 106 are connected to one another by a bus B.
  • A program for implementing a series of processing steps of the attack estimation device 1 is provided on a recording medium 102, which is a CD-ROM or the like.
  • When the recording medium 102 on which the program is stored is loaded in the drive device 101, the program is installed in the auxiliary storage device 103 from the recording medium 102 via the drive device 101.
  • The program is not always required to be installed with the use of the recording medium 102, and may be downloaded from another computer via a network.
  • The auxiliary storage device 103 stores the installed program, and also stores a required file, data, and the like.
  • The memory device 104 reads the program out of the auxiliary storage device 103 and stores the program when an instruction to activate the program is issued.
  • The CPU 105, which corresponds to a computer, follows the program stored in the memory device 104 in executing the functions of the attack estimation device 1.
  • The interface device 106 is used as an interface for connecting to a network.
  • The attack estimation device 1 may be configured from a plurality of computers each of which has the hardware illustrated in FIG. 1. That is, the processing executed by the attack estimation device 1 may be distributed among a plurality of computers to be executed by the plurality of computers.
  • FIG. 2 is a diagram for illustrating a function configuration example of the attack estimation device 1 according to the first embodiment of the present invention.
  • The attack estimation device 1 illustrated in FIG. 2 includes an attack tree generation processing unit 201, an attack tree abstraction processing unit 202, a soundness check processing unit 203, an attack log prediction unit 204, a system configuration information storage unit 205, a vulnerability information storage unit 206, an attack tree storage unit 207, an abstract attack tree storage unit 208, and a log check management information storage unit 209.
  • FIG. 3 is a flow chart for illustrating steps of creating data required to estimate indicators of a cyber attack in the attack estimation device 1 according to the first embodiment of the present invention. The steps of creating, in advance, the data required to estimate indicators of compromise from a cyber attack are described with reference to FIG. 3.
  • The system configuration information storage unit 205 stores data in which information of the system that is the target of analysis is described.
  • The vulnerability information storage unit 206 stores data in which events that are threats to security are accumulated.
  • Step S101 to Step S103 described below correspond to a storage step in which the data required for attack estimation is stored in advance in the storage unit as a stage preceding attack estimation.
  • In Step S101, the attack tree generation processing unit 201 uses the data stored in the system configuration information storage unit 205 and the data stored in the vulnerability information storage unit 206 to generate an attack tree that associates a path of an attack, a facility expected to be attacked, an attack method, and a vulnerability in the analysis target system with one another.
  • The attack tree generation processing unit 201 stores the generated attack tree in the attack tree storage unit 207.
  • The processing of generating an attack tree and the processing of storing an attack tree can be accomplished by Patent Literatures 1 and 2 and Non-Patent Literature 2 cited as related-art literatures, and detailed descriptions thereof are therefore omitted.
  • FIG. 4 is a table for showing a data structure of an attack tree held in the attack tree storage unit 207 in the first embodiment of the present invention. As shown in FIG. 4, pieces of data that are “ID”, “from”, “to”, “attack method”, “attack method ID”, and “indicators of compromise (IOC)” are associated with one another to be held as an attack tree in the attack tree storage unit 207.
  • A path of an attack and a facility expected to be attacked in the analysis target system are identified from the pieces of information “from” and “to” shown in the attack tree. The vulnerability of an attacked site is identified from the “indicators of compromise (IOC)” shown in the attack tree.
  • An attack tree derived by the attack tree generation processing unit 201 based on the information of the system configuration information storage unit 205 and the vulnerability information storage unit 206 holds IOC, being indicators of compromise, as shown in FIG. 4.
  • For example, the entry for the ID “5” of FIG. 4 indicates that, when a threat from an attack using software vulnerability Z and an attack method that has “D4” as the attack method ID occurs from Facility A to Facility D, the IOC thereof include the name of the software containing the vulnerability, a version, information of a file path serving as an indicator, and others.
  • IOC, being indicators of compromise, are a compilation of the pieces of information left as indicators in a facility by an attack that uses one of the attack methods shown in FIG. 4. Indicators of an attack that has a known pattern, such as those compiled in FIG. 4, can therefore be identified by referring to the indicators of compromise.
  • In Step S102, the attack tree abstraction processing unit 202 classifies the attack methods of the attack tree held in the attack tree storage unit 207 into attack items higher in the level of abstraction.
  • The attack tree abstraction processing unit 202 stores the abstract attack tree obtained through the classification in the abstract attack tree storage unit 208.
  • FIG. 5 is a table for showing a data structure of an abstract attack tree held in the abstract attack tree storage unit 208 in the first embodiment of the present invention.
  • The attack methods held in the attack tree storage unit 207 are classified into attack items higher in the level of abstraction, and stored as the data shown in FIG. 5.
  • Pieces of data that are “abstract attack name,” “attack method ID list,” and “stage of the attack” are associated with one another to be held as an abstract attack tree in the abstract attack tree storage unit 208, as shown in FIG. 5.
  • The data of an attack tree held in the attack tree storage unit 207 is finely classified by the vulnerability of a facility and the IOC provided for each attack method ID.
  • The attack tree abstraction processing unit 202 classifies an attack method into an attack item that is one level higher in the level of abstraction by, for example, classifying attack methods into stages of attack according to a cyber kill chain.
  • The cyber kill chain is a framework in which the moves of an attacker are classified into stages of attack. Specifically, the moves of an attacker are classified into the following stages (processes): “reconnaissance”, “weaponization”, “delivery”, “exploitation”, “installation”, “remote manipulation (command and control: C&C)”, “lateral movement”, and “actions on objective”.
  • For example, the data corresponding to the attack method ID “D4” on the “attack method ID list” of FIG. 5 is stored with “remote access” as the “abstract attack name” and “remote manipulation” as the “stage of attack.”
  • In Step S103, the attack tree abstraction processing unit 202 defines, for each abstract attack name classified in the abstract attack tree storage unit 208, a device for which the log is to be checked and a specific place in the log.
  • The attack tree abstraction processing unit 202 stores the defined data as log check management information in the log check management information storage unit 209.
  • FIG. 6 is a table for showing a data structure of the log check management information held in the log check management information storage unit 209 in the first embodiment of the present invention.
  • In the log check management information storage unit 209, pieces of data itemized as “device for which the log is to be checked” and “specific place in the log” are associated with an “abstract attack name” to be stored as the log check management information.
  • The phrase “device for which the log is to be checked” means a device in which an indicator of an attack corresponding to the abstract attack name is likely to be left.
  • The “specific place in the log” defines a specific log item in the log of the “device for which the log is to be checked.”
  • FIG. 7 is a flow chart for illustrating a series of operation steps of an attack estimation method to be executed in the attack estimation device according to the first embodiment of the present invention.
  • Step S201 to Step S207 correspond to a prediction step in which attack estimation is executed.
  • The soundness check processing unit 203 and the attack log prediction unit 204, which execute the processing of Step S201 to Step S207, correspond to the prediction unit.
  • In Step S201, the soundness check processing unit 203 receives a detection alert when a cyber attack occurs.
  • In Step S202, the soundness check processing unit 203 investigates whether there are IOC associated with a facility of the analysis target system, based on the attack trees stored in the attack tree storage unit 207.
  • For example, the attack tree holds IOC for the case in which there is a threat of occurrence of an attack using the software vulnerability Z from Facility A to Facility D, and the IOC thereof include the name of the software containing the vulnerability, a version, information of a file path serving as an indicator, and others.
  • In this case, the soundness check processing unit 203 checks whether the IOC are present in Facility D. When the IOC are present in Facility D, that is, when the indicators of compromise are successfully identified, it can be regarded that the attack of the tree at that place has been established.
  • In Step S203, the soundness check processing unit 203 accordingly determines whether IOC have successfully been identified as a result of the investigation.
  • When IOC have successfully been identified, the soundness check processing unit 203 determines that the attack is of a known pattern, not of an unknown pattern, and ends the series of processing steps.
  • When IOC have not been identified, the soundness check processing unit 203 determines that the known attack method is not established and that an attack of an unknown pattern has been delivered instead, and proceeds to the processing of Step S204 and subsequent steps.
  • In Step S204, the attack log prediction unit 204 identifies an abstract attack name for the relevant attack tree by referring to the abstract attack trees stored in the abstract attack tree storage unit 208.
  • In Step S205, the attack log prediction unit 204 identifies a “device for which the log is to be checked” and a “specific place in the log” by referring to the piece of the log check management information that is stored in the log check management information storage unit 209 in association with the “abstract attack name.” That is, the attack log prediction unit 204 identifies a “device for which the log is to be checked” as a device in which indicators of an attack of an unknown pattern are likely to be left, and identifies a “specific place in the log” in association with the identified device, to thereby predict a range of compromise by an attack of an unknown pattern.
  • For the attack method ID “D4” of the example described above, the attack log prediction unit 204 can accordingly identify “remote access” as the “abstract attack name” by referring to the abstract attack tree shown in FIG. 5.
  • The attack log prediction unit 204 can further identify a firewall as the “device for which the log is to be checked” that is relevant to remote access, and a transmission source/transmission destination address or a transmission destination port as the “specific place in the log”, by referring to the log check management information shown in FIG. 6.
  • In Step S206, the attack log prediction unit 204 estimates a time window of the log to be checked from the preceding and following indicators on the attack tree. For example, the attack of the ID “5”, which is assumed to be an attack of an unknown pattern in FIG. 4, has the ID “6” and the ID “3” as the preceding and following IDs on the attack tree. From the timestamps of the IOC for the ID “6” and the IOC for the ID “3”, which have been identified through the investigation by the soundness check processing unit 203, it can be estimated that the attack of the ID “5” was delivered in the time window between those timestamps.
  • In Step S207, the attack log prediction unit 204 extracts, as a suspicious log, the log in the time window estimated in Step S206 for the “device for which the log is to be checked” that is associated with the abstract attack name, and ends the series of processing steps.
  • The attack estimation device 1 can thus predict a range of compromise from an attack both for an attack of a known pattern and for an attack of an unknown pattern by executing the series of processing steps illustrated in the flow chart of FIG. 7.
  • Further, the attack log prediction unit 204 can narrow down the suspicious logs by cross-referencing the logs in the time window with the logs of the transmission source facility and the transmission destination facility that are estimated to have been attacked.
  • The attack log prediction unit 204 may also use an “abnormal behavior detection technology” for determining whether there is a log that has a pattern different from the normal pattern, or a similar technology.
  • As described above, the attack estimation device according to the first embodiment can estimate indicators of an attack of an unknown pattern.
  • The attack estimation device can also avoid erroneously determining an attack for which IOC are not successfully identified in a path of attack of the attack tree as an attack of a known pattern.
  • FIG. 8 is a diagram for illustrating a function configuration example of an attack estimation device 1 according to a second embodiment of the present invention.
  • The attack estimation device 1 illustrated in FIG. 8 further includes, in addition to the components of FIG. 2 which are described above in the first embodiment, a recovery work identification unit 210 and a recovery measure information storage unit 211.
  • The following description focuses on the functions of the recovery work identification unit 210 and the recovery measure information storage unit 211, which are the newly added components.
  • In the first embodiment, an infection site can be estimated in the event of cyber attacks including an attack of an unknown pattern.
  • Recovery work is then required to be performed in the range of compromise after the estimation work is performed.
  • The description of the second embodiment therefore deals with the attack estimation device 1 that has an additional function capable of predicting the steps and the time that are required for recovery of the entire system, based on the IOC of an estimated infection site.
  • The recovery measure information storage unit 211 is configured to hold the contents of recovery work in the range of compromise and a recovery work time required for restoration, in relation to the information defined in the IOC of the attack tree storage unit 207.
  • The recovery work time is the work time required for recovery to the original state when, for example, a registry is rewritten by an attack.
  • FIG. 9 is a table for showing a data structure of recovery measure information which is held in the recovery measure information storage unit 211 in the second embodiment of the present invention and which associates the contents of recovery work with a recovery work time.
  • For example, a recovery work time of recovery work having only one step, namely, recovery from a regular backup, may be defined as recovery measure information.
  • Reinstallation of installed software, initialization of an OS, rebooting of a device, and the like may be required depending on the type of attack. The times required for those types of work are defined in the recovery measure information storage unit 211 and the system configuration information storage unit 205, between which the defined times are distributed.
  • The system configuration information storage unit 205 may hold the software installed in each facility, facility performance information, the dependence relationship between facilities, and other types of data used in identification of a recovery work time.
  • The recovery work identification unit 210 is configured to refer to the information stored in the system configuration information storage unit 205, the attack tree storage unit 207, and the recovery measure information storage unit 211 that is required to identify a recovery work time, in order to restore the indicators of attacks, including an attack of an unknown pattern, that are identified through the series of processing steps in the foregoing first embodiment. Specifically, the recovery work identification unit 210 determines an order of executing recovery of facilities, shutdown of a dependent device, whether activation processing is required, and the like from the length of time required for restoration of the IOC and from the dependence relationship between facilities.
  • For example, the recovery work identification unit 210 can identify a recovery work time by the following steps.
  • A rule prescribing that, when restoration involving shutdown of one facility is executed, the dependent facilities adjacent to the one facility in a directed graph representing the dependence relationship between facilities be shut down first is set here.
  • The recovery work identification unit 210 can figure out the recovery steps by deriving the steps of restoring all facilities based on the directed graph which follows this rule, and identify the sum of the restoration times in the recovery steps as the recovery work time.
  • As described above, the attack estimation device according to the second embodiment can not only estimate indicators of a cyber attack of an unknown pattern but also predict and identify the time required to recover from the damage wrought by the attack from the identified indicators of the attack.
  • The attack estimation devices according to the first and second embodiments described above are summarized as follows.
  • The attack estimation devices according to the first and second embodiments can identify a range of compromise from a sophisticated cyber attack on a corporation, centered around a targeted attack, and can estimate the work and the time that are required for recovery.
  • The attack estimation devices according to the first and second embodiments generate, in advance, an attack tree in which the possible attack activities in an analysis target system and the corresponding indicators of compromise are exhaustively described. After detecting an attack, the attack estimation devices according to the first and second embodiments identify a path of attack by investigating indicators of the attack in each facility along the attack tree.
  • The attack estimation devices deal with attack activities for which IOC cannot be confirmed on the attack tree by identifying a log of a device, a time window, and a place in the log in which indicators of an attack are likely to be left, under the assumption that an attack of the same type and of an unknown pattern has been delivered.
  • The attack estimation device according to the first embodiment can thus identify a range of compromise even when an attack of an unknown pattern occurs.
  • The attack estimation device according to the second embodiment can estimate the work and the time that are required for recovery of a range identified to be compromised, in addition to providing the effects of the attack estimation device according to the first embodiment.
  • Reference signs: 1 attack estimation device, 101 drive device, 102 recording medium, 103 auxiliary storage device, 104 memory device, 105 CPU, 106 interface device, 201 attack tree generation processing unit, 202 attack tree abstraction processing unit, 203 soundness check processing unit, 204 attack log prediction unit, 205 system configuration information storage unit, 206 vulnerability information storage unit, 207 attack tree storage unit, 208 abstract attack tree storage unit, 209 log check management information storage unit, 210 recovery work identification unit, 211 recovery measure information storage unit.
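The prediction step (Step S201 to Step S207) of the first embodiment, together with the narrowing of suspicious logs by source and destination facility, reimplemented in Python as an added example that is not part of the patent. The attack tree rows, abstract attack tree, log check management information, facility addresses, IOC timestamps and firewall log entries are all constructed for this example; the attack of the ID “5” is the one whose IOC are absent, so it is treated as an attack of an unknown pattern.

```python
"""Prediction step (S201 to S207) of the attack estimation method, reimplemented
as an illustrative example. Every table row, facility name, address, timestamp
and log entry below is constructed and not taken from the patent."""
from datetime import datetime

# FIG. 4 style attack tree (constructed): ID -> from, to, attack method ID, IOC.
# IOC are "kind:value" strings so that presence on a facility is a simple lookup.
ATTACK_TREE = {
    6: {"from": "Facility X", "to": "Facility A", "method_id": "D2",
        "ioc": {"file_path:/tmp/dropper.bin"}},
    5: {"from": "Facility A", "to": "Facility D", "method_id": "D4",
        "ioc": {"software:SoftZ 1.0", "file_path:C:/SoftZ/implant.dll"}},
    3: {"from": "Facility D", "to": "Facility E", "method_id": "D7",
        "ioc": {"registry:HKLM/Software/Run/persist"}},
}
ATTACK_PATH = [6, 5, 3]   # order on the tree; neighbours are the preceding/following IDs

# FIG. 5 style abstract attack tree (constructed).
ABSTRACT_TREE = [
    {"name": "malware delivery", "method_ids": ["D2"], "stage": "delivery"},
    {"name": "remote access", "method_ids": ["D4", "D9"], "stage": "remote manipulation"},
    {"name": "persistence", "method_ids": ["D7"], "stage": "installation"},
]

# FIG. 6 style log check management information (constructed).
LOG_CHECK_INFO = {
    "remote access": {"device": "firewall", "places": ["src_addr", "dst_addr", "dst_port"]},
    "malware delivery": {"device": "mail gateway", "places": ["attachment_hash"]},
    "persistence": {"device": "endpoint agent", "places": ["registry_key"]},
}

# Constructed outcome of the IOC investigation: facility -> IOC present -> timestamp.
OBSERVED_IOC = {
    "Facility A": {"file_path:/tmp/dropper.bin": "2019-03-12T09:00:00"},
    "Facility D": {},   # none of ID 5's IOC is present: an unknown-pattern attack
    "Facility E": {"registry:HKLM/Software/Run/persist": "2019-03-12T09:40:00"},
}
FACILITY_ADDR = {"Facility A": "10.0.1.5", "Facility D": "10.0.4.9", "Facility E": "10.0.5.3"}

# Constructed firewall log entries (device -> list of entries).
DEVICE_LOGS = {"firewall": [
    {"ts": "2019-03-12T08:30:00", "src_addr": "10.0.1.5", "dst_addr": "10.0.4.9", "dst_port": 443},
    {"ts": "2019-03-12T09:12:00", "src_addr": "10.0.1.5", "dst_addr": "10.0.4.9", "dst_port": 5985},
    {"ts": "2019-03-12T09:25:00", "src_addr": "10.0.2.7", "dst_addr": "10.0.4.9", "dst_port": 3389},
    {"ts": "2019-03-12T10:05:00", "src_addr": "10.0.1.5", "dst_addr": "10.0.4.9", "dst_port": 445},
]}


def _ts(s):
    return datetime.fromisoformat(s)


def identify_ioc(tree_id):
    """S202: which IOC of this tree entry are present on the attacked ("to") facility."""
    entry = ATTACK_TREE[tree_id]
    present = OBSERVED_IOC.get(entry["to"], {})
    return {ioc: present[ioc] for ioc in entry["ioc"] if ioc in present}


def abstract_attack_name(method_id):
    """S204: look the attack method ID up in the abstract attack tree."""
    return next((r["name"] for r in ABSTRACT_TREE if method_id in r["method_ids"]), None)


def estimate_time_window(tree_id):
    """S206: window between the latest IOC of the preceding entry and the earliest
    IOC of the following entry; an end of the path leaves that bound open (None)."""
    i = ATTACK_PATH.index(tree_id)
    prev_id = ATTACK_PATH[i - 1] if i > 0 else None
    next_id = ATTACK_PATH[i + 1] if i + 1 < len(ATTACK_PATH) else None
    start = max(identify_ioc(prev_id).values(), key=_ts, default=None) if prev_id else None
    end = min(identify_ioc(next_id).values(), key=_ts, default=None) if next_id else None
    return start, end


def extract_suspicious_logs(device, places, window):
    """S207: entries of the device log inside the window, projected to the specific places."""
    start, end = window
    out = []
    for e in DEVICE_LOGS.get(device, []):
        if (start and _ts(e["ts"]) < _ts(start)) or (end and _ts(e["ts"]) > _ts(end)):
            continue
        out.append({k: e[k] for k in ["ts", *places] if k in e})
    return out


def narrow_by_facilities(logs, tree_id):
    """Cross-reference with the estimated source and destination facilities."""
    src = FACILITY_ADDR.get(ATTACK_TREE[tree_id]["from"])
    dst = FACILITY_ADDR.get(ATTACK_TREE[tree_id]["to"])
    return [e for e in logs if e.get("src_addr") == src and e.get("dst_addr") == dst]


def estimate(alert_tree_id):
    """S201 to S207 for a detection alert that points at one attack tree entry."""
    ioc = identify_ioc(alert_tree_id)
    if ioc:   # S203: IOC identified, known pattern, nothing further to predict
        return {"pattern": "known", "ioc": ioc}
    name = abstract_attack_name(ATTACK_TREE[alert_tree_id]["method_id"])
    if name not in LOG_CHECK_INFO:   # no log check definition for this abstract name
        return {"pattern": "unknown", "abstract_name": name, "suspicious_logs": []}
    target = LOG_CHECK_INFO[name]
    window = estimate_time_window(alert_tree_id)
    logs = extract_suspicious_logs(target["device"], target["places"], window)
    return {"pattern": "unknown", "abstract_name": name, "device": target["device"],
            "places": target["places"], "window": window,
            "suspicious_logs": logs, "narrowed": narrow_by_facilities(logs, alert_tree_id)}
```

Calling `estimate(5)` yields the firewall entries between the ID “6” and ID “3” timestamps; the narrowed list keeps only the entry between the Facility A and Facility D addresses.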
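The recovery work identification of the second embodiment (the dependence graph, the rule that adjacent dependent facilities are shut down first, and the sum of restoration times) as an added Python example that is not part of the patent. The facilities, dependence relationships, IOC kinds, work contents, work times and restart times are constructed for this example.

```python
"""Recovery work identification (second embodiment), reimplemented as an
illustrative example. Facilities, dependence relationships, IOC kinds, work
contents and times are constructed and not taken from the patent."""

# FIG. 9 style recovery measure information (constructed):
# IOC kind -> (recovery work, work time in minutes, whether the facility must be shut down)
RECOVERY_MEASURES = {
    "software": ("reinstall software", 60, True),
    "file_path": ("restore file from regular backup", 15, False),
    "registry": ("restore registry from regular backup", 10, False),
}

# System configuration information (constructed): DEPENDS_ON[x] = facilities x needs,
# and the time to bring each facility back up after a shutdown.
DEPENDS_ON = {
    "Facility A": set(),
    "Facility D": {"Facility A"},
    "Facility E": {"Facility D"},
    "Facility F": {"Facility D"},
}
RESTART_MINUTES = {"Facility A": 5, "Facility D": 10, "Facility E": 5, "Facility F": 8}


def dependents_of(facility):
    """Facilities adjacent to `facility` in the directed dependence graph that depend on it."""
    return sorted(f for f, needs in DEPENDS_ON.items() if facility in needs)


def restoration_order(facilities):
    """Kahn topological order: a facility is restored before the facilities that depend on it."""
    indeg = {f: len(DEPENDS_ON[f]) for f in DEPENDS_ON}
    ready = sorted(f for f, d in indeg.items() if d == 0)
    order = []
    while ready:
        f = ready.pop(0)
        order.append(f)
        for g in dependents_of(f):
            indeg[g] -= 1
            if indeg[g] == 0:
                ready.append(g)
    if len(order) != len(DEPENDS_ON):
        raise ValueError("dependence relationship contains a cycle")
    return [f for f in order if f in facilities]


def identify_recovery_work(compromised):
    """compromised: facility -> IOC kinds found there (from the attack tree).
    Returns (ordered steps, total work time); each step is (action, facility, minutes)."""
    steps = []
    for facility in restoration_order(compromised):
        work = [RECOVERY_MEASURES[k] for k in compromised[facility]]
        needs_shutdown = any(sd for _, _, sd in work)
        shut = dependents_of(facility) if needs_shutdown else []
        for d in shut:                       # rule: adjacent dependents go down first
            steps.append(("shut down", d, 0))
        if needs_shutdown:
            steps.append(("shut down", facility, 0))
        for name, minutes, _ in work:        # the recovery work itself
            steps.append((name, facility, minutes))
        if needs_shutdown:                   # activation processing afterwards
            steps.append(("restart", facility, RESTART_MINUTES[facility]))
        for d in shut:
            steps.append(("restart", d, RESTART_MINUTES[d]))
    return steps, sum(m for _, _, m in steps)


# Constructed infection sites as identified by the first embodiment's processing.
COMPROMISED = {"Facility D": ["software", "file_path"], "Facility E": ["registry"]}

if __name__ == "__main__":
    for action, facility, minutes in identify_recovery_work(COMPROMISED)[0]:
        print(f"{minutes:4d} min  {action}: {facility}")
```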

Abstract

An attack estimation device includes a storage unit configured to hold an attack tree, an abstract attack tree, and log check management information, and a prediction unit configured to predict, when a detection alert is received, a range of compromise from the attack by referring to the information in the storage unit. The prediction unit is configured to: determine that an attack of an unknown pattern has occurred as the attack when indicators of compromise that correspond to the attack are not successfully identified; identify an abstract attack name by referring to the abstract attack tree; and predict a range of compromise from the attack of an unknown pattern by identifying a device in which indicators of the attack of an unknown pattern are likely to be left, and by identifying a specific place in the log of the identified device, by referring to the log check management information.

Description

CROSS REFERENCE TO RELATED APPLICATIONS
This application is a Continuation of PCT International Application No. PCT/JP2019/010044, filed on Mar. 12, 2019, which is hereby expressly incorporated by reference into the present application.
TECHNICAL FIELD
The present invention relates to an attack estimation device, an attack estimation method, and an attack estimation program in which a range of compromise from an attack on an analysis target system is estimated.
BACKGROUND ART
Changes in recent years in the circumstances surrounding corporations have brought about a diversity of risks new in nature to corporations, and leakage of important information, unauthorized access, system failures, and other information security incidents that may cause trouble over information assets occur frequently.
In order to deal with the occurrence of information security incidents, in addition to security analysis performed in advance on a system to be protected, a system configured to detect, in anticipation of contingencies, an attack that leads to trouble over information assets is desired. As a technology for assisting in taking a countermeasure for detecting such an attack, several technologies using an attack tree method have been proposed (see Non-Patent Literature 1, for example).
In security analysis, an asset value of and threats to a target are clarified, and a countermeasure is taken preferentially for an element having a high risk value. For that purpose, an attack tree is used to systematically extract an attack sequence from system configuration information of the target. There is the related art that presents a risk reduction measure by deriving attack trees of attacks on the system and thus exhaustively finding out vulnerable places (see Patent Literature 1, for example).
There is also the related art in which a rule for checking correlation between alerts output by an intrusion detection system (IDS) is automatically created based on an attack tree created by a specialist, and alerts of the IDS that may apply to nodes on the attack tree are associated, to thereby create a rule (see Non-Patent Literature 2, for example). There is also the related art that automatically generates an attack tree for use in a penetration test (see Patent Literature 2, for example).
Those technologies of the related art may possibly be applied to accomplish attack detection and infection site identification based on an attack tree, by automatically generating a detection rule that corresponds to a measure of attack, namely, an attack tree in which indicators of compromise (IOC) are defined, and by using the indicators of compromise.
However, the exhaustiveness of an attack tree is imperfect in many respects, and in some cases an actual threat cannot be identified through analysis. For example, in the case of an attack that exploits an undiscovered vulnerability, the attack method does not exist at the time of analysis, and the tree accordingly does not include a path for that attack.
As one of methods of solving those problems, there has been proposed a related art that prevents erroneous omission of detection of a multistage attack by regarding, in an attack scenario for a multistage attack, an event that cannot be observed to be an observed event when events preceding and following that event are successfully observed (see Patent Literature 3, for example).
CITATION LIST
Patent Literature
  • [PTL 1] JP 5406195 B2
  • [PTL 2] US 9894090 B2
  • [PTL 3] JP 6000495 B2
Non Patent Literature
  • [NPL 1] B. Schneier: Attack trees: modeling security threats, Dr. Dobb's Journal, December 1999, URL: <https://www.schneier.com/academic/archives/1999/12/attack_trees.html>
  • [NPL 2] Godefroy, Erwan, et al. “Automatic generation of correlation rules to detect complex attack scenarios.” Information Assurance and Security (IAS), 2014 10th International Conference on. IEEE, 2014.
SUMMARY OF INVENTION
Technical Problem
The related art, however, has the following problem.
As described above, with attack trees, identification of an attack and an infection site is possible only for known patterns of attack.
The present invention has been made to solve the problem described above, and an object thereof is to obtain an attack estimation device, an attack estimation method, and an attack estimation program with which indicators of an attack of an unknown pattern can be estimated.
Solution to Problem
According to one embodiment of the present invention, there is provided an attack estimation device including: an attack tree storage unit configured to hold an attack tree in which an attack method assumed in advance in an analysis target system and indicators of compromise are associated with each other; an abstract attack tree storage unit configured to hold an abstract attack tree in which the attack method and an abstract attack name that is obtained by increasing a level of abstraction of the attack method are associated with each other; a log check management information storage unit configured to hold log check management information in which the abstract attack name, a device for which a log is to be checked, and a specific place in the log are associated with one another; and a prediction unit configured to predict, when a detection alert informing of occurrence of an attack on the analysis target system is received, a range of compromise from the attack by referring to the attack tree, the abstract attack tree, and the log check management information, wherein the prediction unit is configured to: identify, when the detection alert is received, the indicators of compromise that correspond to the attack by referring to the attack tree; determine that an attack of a known pattern has occurred as the attack when the indicators of compromise that correspond to the attack are successfully identified, and predict the range of compromise from the identified indicators of compromise; determine that an attack of an unknown pattern has occurred as the attack when the indicators of compromise that correspond to the attack are unsuccessfully identified; identify, when determining that the attack of an unknown pattern has occurred, the abstract attack name by referring to the abstract attack tree; and predict the range of compromise from the attack of an unknown pattern by identifying the device for which the log is to be checked as a device in which indicators of the attack of an unknown pattern are likely to be left, and identifying a specific place in the log of the identified device, by referring to the identified abstract attack name and the log check management information.
Further, according to one embodiment of the present invention, there is provided an attack estimation method including: a storage step of holding, in a storage unit, an attack tree in which an attack method assumed in advance in an analysis target system and indicators of compromise are associated with each other, an abstract attack tree in which the attack method and an abstract attack name that is obtained by increasing a level of abstraction of the attack method are associated with each other, and log check management information in which the abstract attack name, a device for which a log is to be checked, and a specific place in the log are associated with one another; and a prediction step of predicting, when a detection alert informing of occurrence of an attack on the analysis target system is received, a range of compromise from the attack by referring to the attack tree, the abstract attack tree, and the log check management information, wherein the prediction step includes: identifying, when the detection alert is received, the indicators of compromise that correspond to the attack by referring to the attack tree; determining that an attack of a known pattern has occurred as the attack when the indicators of compromise that correspond to the attack are successfully identified, and predicting the range of compromise from the identified indicators of compromise; determining that an attack of an unknown pattern has occurred as the attack when the indicators of compromise that correspond to the attack are unsuccessfully identified; identifying, when it is determined that the attack of an unknown pattern has occurred, the abstract attack name by referring to the abstract attack tree; and predicting the range of compromise from the attack of an unknown pattern by identifying the device for which the log is to be checked as a device in which indicators of the attack of an unknown pattern are likely to be left, and by identifying a specific place in the log of the identified device, by referring to the identified abstract attack name and the log check management information.
Further, according to one embodiment of the present invention, there is provided an attack estimation program for causing a computer to execute: a storage step of holding, in a storage unit, an attack tree in which an attack method assumed in advance in an analysis target system and indicators of compromise are associated with each other, an abstract attack tree in which the attack method and an abstract attack name that is obtained by increasing a level of abstraction of the attack method are associated with each other, and log check management information in which the abstract attack name, a device for which a log is to be checked, and a specific place in the log are associated with one another; and a prediction step of predicting, when a detection alert informing of occurrence of an attack on the analysis target system is received, a range of compromise from the attack by referring to the attack tree, the abstract attack tree, and the log check management information, wherein the prediction step includes: identifying, when the detection alert is received, the indicators of compromise that correspond to the attack by referring to the attack tree; determining that an attack of a known pattern has occurred as the attack when the indicators of compromise that correspond to the attack are successfully identified, and predicting the range of compromise from the identified indicators of compromise; determining that an attack of an unknown pattern has occurred as the attack when the indicators of compromise that correspond to the attack are unsuccessfully identified; identifying, when it is determined that the attack of an unknown pattern has occurred, the abstract attack name by referring to the abstract attack tree; and predicting the range of compromise from the attack of an unknown pattern by identifying the device for which the log is to be checked as a device in which indicators of the attack of an unknown pattern are likely to be left, and by identifying a specific place in the log of the identified device, by referring to the identified abstract attack name and the log check management information.
Advantageous Effects of Invention
According to the present invention, it is possible to obtain the attack estimation device, the attack estimation method, and the attack estimation program with which the indicators of the attack of the unknown pattern can be estimated.
BRIEF DESCRIPTION OF DRAWINGS
FIG. 1 is a diagram for illustrating a hardware configuration example of an attack estimation device according to a first embodiment of the present invention.
FIG. 2 is a diagram for illustrating a function configuration example of the attack estimation device according to the first embodiment of the present invention.
FIG. 3 is a flow chart for illustrating steps of creating data required to estimate indicators of a cyber attack in the attack estimation device according to the first embodiment of the present invention.
FIG. 4 is a table for showing a data structure of an attack tree held in an attack tree storage unit in the first embodiment of the present invention.
FIG. 5 is a table for showing a data structure of an abstract attack tree held in an abstract attack tree storage unit in the first embodiment of the present invention.
FIG. 6 is a table for showing a data structure of log check management information held in a log check management information storage unit in the first embodiment of the present invention.
FIG. 7 is a flow chart for illustrating a series of operation steps of an attack estimation method to be executed in the attack estimation device according to the first embodiment of the present invention.
FIG. 8 is a function configuration example of an attack estimation device according to a second embodiment of the present invention.
FIG. 9 is a table for showing a data structure of recovery measure information which is held in a recovery measure information storage unit in the second embodiment of the present invention and which associates recovery work with a work time.
DESCRIPTION OF EMBODIMENTS
Referring to the accompanying drawings, an attack estimation device, an attack estimation method, and an attack estimation program according to preferred embodiments of the present invention are now described. The attack estimation device according to the present invention relates to a “device for estimating indicators of a cyber attack” that is capable of estimating indicators of a cyber attack of an unknown pattern. In the following description, the “device for estimating indicators of a cyber attack” is simply referred to as the “attack estimation device.”
First Embodiment
FIG. 1 is a diagram for illustrating a hardware configuration example of an attack estimation device according to a first embodiment of the present invention. In an attack estimation device 1 according to the first embodiment which is illustrated in FIG. 1, a drive device 101, an auxiliary storage device 103, a memory device 104, a CPU 105, and an interface device 106 are connected to one another by a bus B.
A program for implementing a series of processing steps of the attack estimation device 1 is provided on a recording medium 102 which is a CD-ROM or the like. When the recording medium 102 on which the program is stored is loaded in the drive device 101, the program is installed in the auxiliary storage device 103 from the recording medium 102 via the drive device 101.
The program, however, is not always required to be installed with the use of the recording medium 102, and may be downloaded from another computer via a network. The auxiliary storage device 103 stores the installed program, and also stores required files, data, and the like.
The memory device 104 reads the program out of the auxiliary storage device 103 and stores the program when an instruction to activate the program is issued. The CPU 105 which corresponds to a computer follows the program stored in the memory device 104 in executing functions of the attack estimation device 1. The interface device 106 is used as an interface for connecting to a network.
The attack estimation device 1 may be configured from a plurality of computers each of which has the hardware illustrated in FIG. 1. That is, processing executed by the attack estimation device 1 may be distributed among a plurality of computers to be executed by the plurality of computers.
FIG. 2 is a diagram for illustrating a function configuration example of the attack estimation device 1 according to the first embodiment of the present invention. The attack estimation device illustrated in FIG. 2 includes an attack tree generation processing unit 201, an attack tree abstraction processing unit 202, a soundness check processing unit 203, an attack log prediction unit 204, a system configuration information storage unit 205, a vulnerability information storage unit 206, an attack tree storage unit 207, an abstract attack tree storage unit 208, and a log check management information storage unit 209.
FIG. 3 is a flow chart for illustrating steps of creating data required to estimate indicators of a cyber attack in the attack estimation device 1 according to the first embodiment of the present invention. The steps of creating, in advance, data required to estimate indicators of compromise from a cyber attack are described with reference to FIG. 3. The system configuration information storage unit 205 stores data in which information of a system that is a target of analysis is described. The vulnerability information storage unit 206 stores data in which events that are threats to security are accumulated.
Processing of Step S101 to Step S103 described below corresponds to a storage step in which data required for attack estimation is stored in advance in the storage unit as a stage preceding attack estimation.
In Step S101, the attack tree generation processing unit 201 uses data stored in the system configuration information storage unit 205 and data stored in the vulnerability information storage unit 206 to generate an attack tree that associates a path of an attack, a facility expected to be attacked, an attack method, and vulnerability in an analysis target system with one another. The attack tree generation processing unit 201 stores the generated attack tree in the attack tree storage unit 207.
The processing of generating an attack tree and the processing of storing an attack tree can be accomplished by Patent Literatures 1 and 2 and Non-Patent Literature 2 cited as related-art literatures, and detailed descriptions thereof are therefore omitted.
FIG. 4 is a table for showing a data structure of an attack tree held in the attack tree storage unit 207 in the first embodiment of the present invention. As shown in FIG. 4, pieces of data that are “ID”, “from”, “to”, “attack method”, “attack method ID”, and “indicators of compromise (IOC)” are associated with one another to be held as an attack tree in the attack tree storage unit 207.
A path of an attack and a facility expected to be attacked in an analysis target system are identified from pieces of information about “from” and “to” that are shown as an attack tree. Vulnerability of an attacked site is identified from “indicators of compromise (IOC)” shown as an attack tree.
An attack tree derived by the attack tree generation processing unit 201 based on information of the system configuration information storage unit 205 and the vulnerability information storage unit 206 holds indicators of compromise (IOC) as shown in FIG. 4.
To give an example, an entry for the ID “5” of FIG. 4 indicates that, when a threat from an attack using software vulnerability Z and an attack method that has “D4” as the attack method ID occurs from Facility A to Facility D, IOC thereof includes the name of software containing the vulnerability, a version, information of a file path serving as an indicator, and others.
The IOC are a compilation of pieces of information left as indicators in a facility by an attack that uses one of the attack methods shown in FIG. 4. Indicators of an attack having a known pattern, such as those compiled in FIG. 4, can therefore be identified by referring to the indicators of compromise.
Next, in Step S102, the attack tree abstraction processing unit 202 classifies the attack method of the attack tree held in the attack tree storage unit 207 into an attack item higher in the level of abstraction. The attack tree abstraction processing unit 202 stores an abstract attack tree obtained through the classification in the abstract attack tree storage unit 208.
FIG. 5 is a table for showing a data structure of an abstract attack tree held in the abstract attack tree storage unit 208 in the first embodiment of the present invention. In the abstract attack tree storage unit 208, attack methods held in the attack tree storage unit 207 are classified into attack items higher in the level of abstraction, and stored as data shown in FIG. 5 .
Specifically, pieces of data that are “abstract attack name,” “attack method ID list,” and “stage of the attack” are associated with one another to be held as an abstract attack tree in the abstract attack tree storage unit 208 as shown in FIG. 5 .
As shown in FIG. 4 , data of an attack tree held in the attack tree storage unit 207 is finely classified by the vulnerability of a facility and IOC provided for each attack method ID. The attack tree abstraction processing unit 202, on the other hand, classifies an attack method into an attack item that is one level higher in the level of abstraction by, for example, classifying attack methods into stages of attack according to a cyber kill chain.
The cyber kill chain is a framework in which moves of an attacker, namely, stages of attack, are classified into stages. Specifically, moves of an attacker are classified into the following stages (processes): “reconnaissance”, “weaponization”, “delivery”, “exploitation”, “installation”, “remote manipulation (command and control: C & C)”, “lateral movement”, and “actions on objective”.
To give an example, data corresponding to the attack method ID “D4” on the “attack method ID list” of FIG. 5 is stored with remote access as the “abstract attack name” and remote manipulation as the “stage of attack.”
Next, in Step S103, the attack tree abstraction processing unit 202 defines, for each abstract attack name classified in the abstract attack tree storage unit 208, a device for which the log is to be checked and a specific place in the log. The attack tree abstraction processing unit 202 stores the defined data as log check management information in the log check management information storage unit 209.
FIG. 6 is a table for showing a data structure of the log check management information held in the log check management information storage unit 209 in the first embodiment of the present invention. In the log check management information storage unit 209, pieces of data itemized as “device for which the log is to be checked” and “specific place in the log” are associated with “abstract attack name” to be stored as the log check management information.
The phrase “device for which the log is to be checked” means a device in which an indicator of an attack corresponding to the abstract attack name is likely to be left. The “specific place in the log” defines a specific log item in the log of the “device for which the log is to be checked.”
Processing of estimating a cyber attack of an unknown pattern that is executed by the attack estimation device according to the first embodiment is described next with reference to FIG. 7. FIG. 7 is a flow chart for illustrating a series of operation steps of an attack estimation method to be executed in the attack estimation device according to the first embodiment of the present invention.
Processing of Step S201 to Step S207 described below corresponds to a prediction step in which attack estimation is executed. The soundness check processing unit 203 and the attack log prediction unit 204 which execute the processing of Step S201 to Step S207 correspond to the prediction unit.
First, in Step S201, the soundness check processing unit 203 receives a detection alert when a cyber attack occurs.
Next, in Step S202, the soundness check processing unit 203 investigates whether there is IOC associated with a facility of an analysis target system, based on attack trees stored in the attack tree storage unit 207.
To give an example, the entry for the ID “5” of FIG. 4 indicates that, when there is a threat of an attack using the software vulnerability Z from Facility A to Facility D, the IOC thereof include the name of software containing the vulnerability, a version, information of a file path serving as an indicator, and others. The soundness check processing unit 203 checks whether those IOC are present in Facility D. When the IOC are present in Facility D, that is, when indicators of compromise are successfully identified, it can be regarded that the attack of the tree has been established in that place.
In Step S203, the soundness check processing unit 203 accordingly determines whether IOC have successfully been identified as a result of the investigation. When a path of attack of an attack tree is established, that is, when IOC with which a path of attack is established are present, the soundness check processing unit 203 determines that the attack is of a known pattern, not of an unknown pattern, and ends the series of processing steps.
When IOC are not found for one path of attack of an attack tree, the soundness check processing unit 203 determines that a known attack method is not established and that an attack of an unknown pattern has been delivered instead, and proceeds to processing of Step S204 and subsequent steps.
In Step S204, the attack log prediction unit 204 identifies an abstract attack name for the relevant attack tree by referring to abstract attack trees stored in the abstract attack tree storage unit 208.
In Step S205, the attack log prediction unit 204 identifies a “device for which the log is to be checked” and a “specific place in the log” by referring to a piece of the log check management information that is stored in the log check management information storage unit 209 in association with the “abstract attack name.” That is, the attack log prediction unit 204 identifies a “device for which the log is to be checked” as a device in which indicators of an attack of an unknown pattern are likely to be left, and identifies a “specific place in the log” in association with the identified device, to thereby predict a range of compromise by an attack of an unknown pattern.
For example, an entry for the ID “5” of FIG. 4 has “D4” as the attack method ID. The attack log prediction unit 204 can accordingly identify remote access as the “abstract attack name” by referring to an abstract attack tree shown in FIG. 5 . The attack log prediction unit 204 can further identify a firewall as the “device for which the log is to be checked” that is relevant to remote access, and a transmission source/transmission destination address or a transmission destination port as the “specific place in the log” by referring to the log check management information shown in FIG. 6 .
Next, in Step S206, the attack log prediction unit 204 estimates a time window of the log to be checked from preceding and following indicators on the attack tree. For example, an attack of the ID “5” which is assumed to be an attack of unknown pattern in FIG. 4 has the ID “6” and the ID “3” as preceding and following IDs on the attack tree. From information on timestamps of the IOC for the ID “6” and the IOC for the ID “3” that have been identified through investigation by the soundness check processing unit 203, it can be estimated that the attack of the ID “5” has been delivered in a time window between the timestamps.
Next, in Step S207, the attack log prediction unit 204 extracts, as a suspicious log, a log in the time window estimated in Step S206 with respect to the “device for which the log is to be checked” that is associated with the abstract attack name, and ends the series of processing steps.
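Worked example, added here and not part of the patent, of Steps S201 to S207 together with the cross-referencing of source and destination facility logs described in this embodiment. All table rows (in the style of FIG. 4 to FIG. 6), facility states, addresses and firewall log lines are constructed; the neighbouring rows 6 and 3 are given made-up facilities and method IDs, and the log passed in is assumed to be that of the "device for which the log is to be checked".

```python
# Added example (not the patent's own code): the prediction step S201-S207 of
# FIG. 7 run over FIG. 4/5/6-style tables. Every table row, facility state,
# address and log line below is constructed for illustration.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class TreeEntry:
    """One row of the attack tree (FIG. 4): path, attack method ID and IOC."""
    src: str                 # "from" facility
    dst: str                 # "to" facility
    method_id: str
    ioc: dict                # indicator name -> expected value
    prev_id: Optional[int]   # neighbouring row IDs on the attack path
    next_id: Optional[int]

# Attack tree. The patent names ID 5 / method D4 and its neighbours 6 and 3;
# the facilities, the method IDs of rows 6 and 3 and all IOC values are made up.
ATTACK_TREE = {
    6: TreeEntry("Internet", "Facility A", "D1",
                 {"file": "C:/Users/user/invoice.exe"}, None, 5),
    5: TreeEntry("Facility A", "Facility D", "D4",
                 {"software": "ExampleApp", "version": "1.2.0",
                  "file": "/opt/exampleapp/.cache/drop"}, 6, 3),
    3: TreeEntry("Facility D", "Facility E", "D7",
                 {"registry": "HKLM/.../Run/updater"}, 5, None),
}
# Abstract attack tree (FIG. 5): abstract name -> method IDs and kill-chain stage.
ABSTRACT_TREE = {
    "remote access": {"method_ids": ["D4", "D9"], "stage": "remote manipulation"},
    "initial intrusion": {"method_ids": ["D1"], "stage": "delivery"},
    "credential theft": {"method_ids": ["D7"], "stage": "lateral movement"},
}
# Log check management information (FIG. 6): abstract name -> device, log place.
LOG_CHECK = {
    "remote access": {"device": "firewall", "fields": ["src", "dst", "dport"]},
    "initial intrusion": {"device": "mail gateway", "fields": ["sender", "attachment"]},
    "credential theft": {"device": "domain controller", "fields": ["account", "logon_type"]},
}
# What the soundness check observes per facility: indicator -> (value, seen at).
# Facility D has the vulnerable software but not the drop file, so the IOC of
# row 5 cannot be confirmed and the attack is treated as an unknown pattern.
FACILITY_STATE = {
    "Facility A": {"file": ("C:/Users/user/invoice.exe", datetime(2019, 3, 12, 9, 0))},
    "Facility D": {"software": ("ExampleApp", datetime(2019, 3, 12, 9, 30)),
                   "version": ("1.2.0", datetime(2019, 3, 12, 9, 30))},
    "Facility E": {"registry": ("HKLM/.../Run/updater", datetime(2019, 3, 12, 11, 30))},
}
FACILITY_ADDR = {"Facility A": "10.0.1.5", "Facility D": "10.0.4.7", "Facility E": "10.0.5.2"}
FIREWALL_LOG = [  # constructed log of the "device for which the log is to be checked"
    "2019-03-12T08:10:00 src=10.0.1.5 dst=10.0.4.7 dport=443 action=allow",
    "2019-03-12T09:42:13 src=10.0.1.5 dst=10.0.4.7 dport=3389 action=allow",
    "2019-03-12T10:05:00 src=10.0.2.9 dst=203.0.113.5 dport=80 action=allow",
    "2019-03-12T12:00:00 src=10.0.1.5 dst=10.0.4.7 dport=22 action=allow",
]

def identify_ioc(entry, state):
    """Step S202: check every IOC of `entry` in its "to" facility.
    Return the newest indicator timestamp when all are present, else None."""
    found = state.get(entry.dst, {})
    stamps = []
    for name, expected in entry.ioc.items():
        hit = found.get(name)
        if hit is None or hit[0] != expected:
            return None
        stamps.append(hit[1])
    return max(stamps)

def parse_fw_line(line):
    ts, *pairs = line.split()            # "timestamp key=value key=value ..."
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def neighbour_time(entry_id, state, default):
    """IOC timestamp of a neighbouring row, or `default` if unconfirmed."""
    if entry_id not in ATTACK_TREE:
        return default
    ts = identify_ioc(ATTACK_TREE[entry_id], state)
    return default if ts is None else ts

def estimate(entry_id, state, fw_log, addr_of):
    """Steps S201-S207 for the attack-tree row named in a detection alert."""
    entry = ATTACK_TREE[entry_id]
    if identify_ioc(entry, state) is not None:            # S203: known pattern
        return {"pattern": "known", "range": [entry.src, entry.dst]}
    abstract = next(n for n, a in ABSTRACT_TREE.items()   # S204: abstract attack name
                    if entry.method_id in a["method_ids"])
    check = LOG_CHECK[abstract]                            # S205: device and log place
    start = neighbour_time(entry.prev_id, state, datetime.min)  # S206: time window
    end = neighbour_time(entry.next_id, state, datetime.max)
    in_window = [r for r in map(parse_fw_line, fw_log) if start <= r["ts"] <= end]  # S207
    narrowed = [r for r in in_window  # cross-reference with the from/to facilities
                if r["src"] == addr_of[entry.src] and r["dst"] == addr_of[entry.dst]]
    return {"pattern": "unknown", "abstract": abstract, "device": check["device"],
            "fields": check["fields"], "window": (start, end),
            "in_window": in_window, "suspicious": narrowed}
```

With the constructed data, row 5 is unconfirmed, the window runs from the row 6 indicator (09:00) to the row 3 indicator (11:30), two firewall records fall inside it, and cross-referencing the Facility A and Facility D addresses leaves the single 3389 connection as the suspicious log.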
The attack estimation device 1 can predict a range of compromise from an attack, for both an attack of a known pattern and an attack of an unknown pattern, by executing the series of processing steps illustrated in the flow chart of FIG. 7.
When “from” and “to” of an attack method of FIG. 4 are different, that is, in the case of an attack on another device, the attack log prediction unit 204 can narrow down suspicious logs by cross-referencing logs in the time window with logs of a transmission source facility and a transmission destination facility that are estimated to have been attacked.
As a method of determining whether a log contains unauthorized activity by an attack of an unknown pattern, the attack log prediction unit 204 may use an “abnormal behavior detection technology” for determining whether there is a log that has a pattern different from the normal pattern, or a similar technology.
As described above, the attack estimation device according to the first embodiment can estimate indicators of an attack of an unknown pattern. The attack estimation device according to the first embodiment can also avoid erroneously determining an attack for which IOC are not successfully identified in a path of attack of an attack tree as an attack of a known pattern.
Second Embodiment
FIG. 8 is a function configuration example of an attack estimation device 1 according to a second embodiment of the present invention. The attack estimation device illustrated in FIG. 8 further includes, in addition to the components of FIG. 2 which are described above in the first embodiment, a recovery work identification unit 210 and a recovery measure information storage unit 211. The following description focuses on functions of the recovery work identification unit 210 and the recovery measure information storage unit 211 which are newly added components.
In the foregoing first embodiment, an infection site can be estimated in the event of cyber attacks including an attack of an unknown pattern. In actual operation, however, recovery work is required to be performed in the range of compromise after the estimation work is performed. The description of the second embodiment therefore deals with the attack estimation device 1 that has an additional function capable of predicting the steps and the time that are required for recovery of the entire system, based on IOC of an estimated infection site.
The recovery measure information storage unit 211 is configured to hold contents of recovery work in the range of compromise and a recovery work time required for restoration, in relation to information defined in IOC of the attack tree storage unit 207. The recovery work time is a work time required for recovery to an original state when, for example, a registry is rewritten by an attack.
FIG. 9 is a table for showing a data structure of recovery measure information which is held in the recovery measure information storage unit 211 in the second embodiment of the present invention and which associates contents of recovery work with a recovery work time. Instead of defining a plurality of recovery work times based on IOC, a recovery work time of recovery work having only one step that is recovery from regular backup may be defined as recovery measure information.
Reinstallation of installed software, initialization of an OS, rebooting of a device, and the like may be required depending on the type of attack. Times required for those types of work are defined in the recovery measure information storage unit 211 and the system configuration information storage unit 205, between which the defined times are distributed.
To give an example, the system configuration information storage unit 205 may hold software installed in each facility, facility performance information, a dependence relationship between facilities, and other types of data used in identification of a recovery work time.
The recovery work identification unit 210 is configured to refer to information stored in the system configuration information storage unit 205, the attack tree storage unit 207, and the recovery measure information storage unit 211 that is required to identify a recovery work time, in order to restore indicators of attacks including an attack of an unknown pattern that are identified through the series of processing steps in the foregoing first embodiment. Specifically, the recovery work identification unit 210 determines an order of executing recovery of facilities, shutdown of a dependent device, whether activation processing is required, and the like from a length of time required for restoration of IOC and from a dependence relationship between facilities.
For example, when the dependence relationship between facilities is expressed as a directed graph, the recovery work identification unit 210 can identify a recovery work time by the following steps. A rule is set that, when restoration involving shutdown of one facility is executed, the dependent facilities adjacent to that facility in the graph are shut down first. Following this rule on the directed graph, the recovery work identification unit 210 derives the steps for restoring all facilities, and identifies the sum of the restoration times in those recovery steps as the recovery work time.
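The following is an added worked example of the recovery-step derivation just described; it is not code from the patent or from Mitsubishi Electric. The facility names, IOC names, recovery works, shutdown and startup times and the dependence graph are all constructed stand-ins for the contents of storage units 205 and 211. One design choice goes beyond the text: the shutdown rule is applied transitively (a dependent that is shut down in turn orphans its own dependents), and the shutdown and startup times are counted in the total alongside the restoration times, since the description distributes such times between units 205 and 211.

```python
from collections import deque
from dataclasses import dataclass

# Constructed sample data; assumed stand-ins for the patent's tables, not its contents.

# Recovery measure information (cf. storage unit 211): IOC -> (recovery work, minutes).
RECOVERY_MEASURES = {
    "registry_run_key_modified": ("restore registry from backup", 20),
    "service_binary_replaced": ("reinstall affected software", 45),
    "webshell_dropped": ("reinitialize OS from golden image", 120),
}
# Recovery work that cannot be carried out on a running facility (assumption).
SHUTDOWN_REQUIRED = {"reinstall affected software", "reinitialize OS from golden image"}

# System configuration information (cf. storage unit 205): shutdown/startup
# minutes per facility, and the dependence relationship as a directed graph
# (dependent -> the providers it needs).
FACILITIES = {
    "db01": {"shutdown": 5, "startup": 10},
    "app01": {"shutdown": 3, "startup": 5},
    "web01": {"shutdown": 2, "startup": 4},
    "lb01": {"shutdown": 1, "startup": 2},
}
DEPENDS_ON = {"app01": ["db01"], "web01": ["app01"], "lb01": ["web01"]}


@dataclass
class Step:
    action: str    # "shutdown", "restore" or "startup"
    facility: str
    detail: str
    minutes: int


def _topological_order(facilities, depends_on):
    """Order the given facilities so that every provider precedes its dependents."""
    facs = set(facilities)
    indeg = {f: 0 for f in facs}
    dependents = {f: [] for f in facs}
    for f in facs:
        for p in depends_on.get(f, []):
            if p in facs:
                indeg[f] += 1
                dependents[p].append(f)
    queue = deque(sorted(f for f in facs if indeg[f] == 0))
    order = []
    while queue:
        f = queue.popleft()
        order.append(f)
        for d in sorted(dependents[f]):
            indeg[d] -= 1
            if indeg[d] == 0:
                queue.append(d)
    if len(order) != len(facs):
        raise ValueError("dependence graph contains a cycle")
    return order


def plan_recovery(findings, recovery_measures=RECOVERY_MEASURES,
                  facilities=FACILITIES, depends_on=DEPENDS_ON):
    """findings: list of (facility, ioc). Returns (steps, recovery work time in minutes)."""
    # 1. Look up the recovery work and its time for each identified IOC.
    work = {}
    for facility, ioc in findings:
        if ioc not in recovery_measures:
            raise KeyError(f"no recovery measure defined for IOC {ioc!r}")
        work.setdefault(facility, []).append(recovery_measures[ioc])

    # 2. Rule: restoration that shuts a facility down requires its adjacent
    #    dependents to be shut down first; applied transitively here.
    dependents_of = {f: [] for f in facilities}
    for dep, providers in depends_on.items():
        for p in providers:
            dependents_of[p].append(dep)
    to_shutdown = set()
    stack = [f for f, items in work.items()
             if any(desc in SHUTDOWN_REQUIRED for desc, _ in items)]
    while stack:
        f = stack.pop()
        if f not in to_shutdown:
            to_shutdown.add(f)
            stack.extend(dependents_of[f])

    # 3. Derive the steps: shut down dependents before providers, restore
    #    providers first, then bring everything back up providers first.
    steps = []
    shutdown_order = _topological_order(to_shutdown, depends_on)
    for f in reversed(shutdown_order):
        steps.append(Step("shutdown", f, "dependent shut down ahead of provider",
                          facilities[f]["shutdown"]))
    for f in _topological_order(work, depends_on):
        for desc, minutes in work[f]:
            steps.append(Step("restore", f, desc, minutes))
    for f in shutdown_order:
        steps.append(Step("startup", f, "activation after restoration",
                          facilities[f]["startup"]))

    # 4. The recovery work time is the sum of the times of the derived steps.
    return steps, sum(s.minutes for s in steps)


if __name__ == "__main__":
    plan, total = plan_recovery([("db01", "service_binary_replaced"),
                                 ("web01", "registry_run_key_modified")])
    for s in plan:
        print(f"{s.action:8} {s.facility:6} {s.minutes:4} min  {s.detail}")
    print("recovery work time:", total, "min")
```

With the constructed data, reinstalling software on db01 forces lb01, web01 and app01 to be shut down first (dependents before providers), db01 is restored before the registry work on web01, and the facilities are activated again providers first; the total is the sum of all step times. A cycle in the dependence graph is reported rather than silently producing a partial plan, which is the check a practitioner would want before trusting a generated order.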
As described above, the attack estimation device according to the second embodiment can not only estimate indicators of a cyber attack of an unknown pattern but also predict and identify a time required to recover from damage wrought by the attack from identified indicators of the attack.
Features of the attack estimation devices according to the first and second embodiments described above are summarized as follows. The attack estimation devices according to the first and second embodiments can identify a range of compromise from a sophisticated cyber attack on a corporation that is centered around a targeted attack, and can estimate work and a time that are required for recovery.
Specifically, the attack estimation devices according to the first and second embodiments generate, in advance, an attack tree in which possible attack activities in an analysis target system and corresponding indicators of compromise are exhaustively described. After detecting an attack, the attack estimation devices according to the first and second embodiments identify the path of attack by investigating indicators of the attack in each facility along the attack tree.
In the case of an attack of an unknown pattern, there is a possibility of a failure to find IOC through an attack tree analysis beforehand and a resultant failure to identify the range of compromise. The attack estimation devices according to the first and second embodiments deal with attack activities for which IOC cannot be confirmed on the attack tree by identifying a log of a device, a time window, and a place in the log in which indicators of an attack are likely to be left, under the assumption that an attack of the same type and of an unknown pattern has been delivered.
As a result, the attack estimation device according to the first embodiment can identify a range of compromise even when an attack of an unknown pattern occurs. The attack estimation device according to the second embodiment can estimate work and a time that are required for recovery of a range identified to be compromised, in addition to providing the effects of the attack estimation device according to the first embodiment.
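The known-pattern/unknown-pattern decision summarized above, as an added example that is not the patent's own code: when an alert arrives, each activity on the attack path is checked for its indicators of compromise; where they are found the facility is placed in the range of compromise directly, and where they are not the activity is generalized through the abstract attack tree and the log check management information names the device, the log, the place in the log and a time window to examine. The attack names, IOC strings, device and log names and window lengths are constructed assumptions, and checking per activity along the path (rather than once per alert) is this example's choice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample tables; assumed stand-ins for the patent's figures.
# Attack tree (cf. storage unit 207): an attack path as an ordered list of
# attack activities, each with the facility it targets and the IOCs it leaves.
ATTACK_TREE = {
    "targeted_mail_to_file_server": [
        {"method": "malicious_attachment_execution", "facility": "workstation01",
         "iocs": {"dropped_file:unknown_executable"}},
        {"method": "remote_service_creation", "facility": "fileserver01",
         "iocs": {"service_installed:unexpected_name"}},
    ],
}
# Abstract attack tree (cf. storage unit 208): attack method -> generalized name.
ABSTRACT_ATTACK_TREE = {
    "malicious_attachment_execution": "initial_execution",
    "remote_service_creation": "remote_execution",
}
# Log check management information (cf. storage unit 209): abstract name ->
# (device, log, place in the log, minutes before the alert to examine).
LOG_CHECK_MANAGEMENT = {
    "initial_execution": [("workstation01", "process_creation_log",
                           "processes spawned by the mail client", 60)],
    "remote_execution": [("fileserver01", "service_control_manager_log",
                          "service installation events", 30)],
}


@dataclass
class Finding:
    kind: str                         # "ioc" (known pattern) or "log_check" (unknown pattern)
    facility: str
    detail: str
    window: Optional[tuple] = None    # (start, end) datetimes for log_check findings


def predict_range_of_compromise(alert, observed_iocs, attack_tree=ATTACK_TREE,
                                abstract_tree=ABSTRACT_ATTACK_TREE,
                                log_check=LOG_CHECK_MANAGEMENT):
    """alert: {"attack_name": str, "time": datetime}; observed_iocs: {facility: set of IOCs}."""
    path = attack_tree.get(alert["attack_name"])
    if path is None:
        raise KeyError(f"no attack tree entry for {alert['attack_name']!r}")
    findings = []
    for node in path:
        present = node["iocs"] & observed_iocs.get(node["facility"], set())
        if present:
            # Known pattern: the identified IOCs place the facility in the range of compromise.
            for ioc in sorted(present):
                findings.append(Finding("ioc", node["facility"], ioc))
            continue
        # Unknown pattern: generalize the activity, then name the device, log,
        # place and time window in which indicators are anticipated.
        abstract = abstract_tree.get(node["method"])
        if abstract is None:
            raise KeyError(f"no abstract attack name for {node['method']!r}")
        for device, log, place, minutes in log_check.get(abstract, []):
            start = alert["time"] - timedelta(minutes=minutes)
            findings.append(Finding("log_check", device, f"{log}: {place}",
                                    (start, alert["time"])))
    return findings


def compromised_facilities(findings):
    """Facilities in the predicted range of compromise, confirmed or anticipated."""
    return sorted({f.facility for f in findings})


if __name__ == "__main__":
    alert = {"attack_name": "targeted_mail_to_file_server",
             "time": datetime(2024, 1, 1, 12, 0)}
    observed = {"fileserver01": {"service_installed:unexpected_name"}}
    for f in predict_range_of_compromise(alert, observed):
        print(f.kind, f.facility, f.detail, f.window)
```

In the constructed run the file server shows the expected IOC and is handled as a known pattern, while the workstation shows none, so the device falls back to an abstract name and the analyst is pointed at the process creation log for the hour before the alert instead of being dropped from the range of compromise.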
REFERENCE SIGNS LIST
1 attack estimation device, 101 drive device, 102 recording medium, 103 auxiliary storage device, 104 memory device, 105 CPU, 106 interface device, 201 attack tree generation processing unit, 202 attack tree abstraction processing unit, 203 soundness check processing unit, 204 attack log prediction unit, 205 system configuration information storage unit, 206 vulnerability information storage unit, 207 attack tree storage unit, 208 abstract attack tree storage unit, 209 log check management information storage unit, 210 recovery work identification unit, 211 recovery measure information storage unit

Claims (4)

The invention claimed is:
1. An attack estimation device, comprising:
an attack tree storage memory, which is non-transitory computer-readable memory, to hold an attack tree in which an attack method assumed in advance in an analysis target system and indicators of compromise are associated with each other;
an abstract attack tree storage memory, which is non-transitory computer-readable memory, to hold an abstract attack tree in which the attack method and an abstract attack name that is obtained by generalizing the attack method are associated with each other;
a log check management information storage memory, which is non-transitory computer-readable memory, to hold log check management information in which the abstract attack name, a device for which a log is to be checked, and a specific place in the log are associated with one another; and
a predicting circuitry to predict, when a detection alert informing of occurrence of an attack on the analysis target system is received, a range of compromise from the attack by referring to the attack tree, the abstract attack tree, and the log check management information,
wherein the predicting circuitry is configured to:
identify, when the detection alert is received, the indicators of compromise that correspond to the attack by referring to the attack tree;
determine that an attack of a known pattern has occurred as the attack when the indicators of compromise that correspond to the attack are successfully identified, and predict the range of compromise from the identified indicators of compromise;
determine that an attack of an unknown pattern has occurred as the attack when the indicators of compromise that correspond to the attack are unsuccessfully identified;
identify, when determining that the attack of the unknown pattern has occurred, the abstract attack name by referring to the abstract attack tree; and
predict the range of compromise from the attack of the unknown pattern by identifying the device for which the log is to be checked as a device in which indicators of the attack of the unknown pattern are anticipated, and identifying a specific place in the log of the identified device, by referring to the identified abstract attack name and the log check management information.
2. The attack estimation device according to claim 1, further comprising:
a recovery measure information storage memory, which is non-transitory computer-readable memory, to hold recovery measure information in which contents of recovery work in the range of compromise and a recovery work time are associated with each other; and
a recovery work identifying circuitry to identify the contents of recovery work and the recovery work time that are required for restoration of the range of compromise predicted by the predicting circuitry, by referring to the recovery measure information.
3. An attack estimation method, comprising:
a storage step of holding, in a storage memory, which is non-transitory computer-readable memory, an attack tree in which an attack method assumed in advance in an analysis target system and indicators of compromise are associated with each other, an abstract attack tree in which the attack method and an abstract attack name that is obtained by generalizing the attack method are associated with each other, and log check management information in which the abstract attack name, a device for which a log is to be checked, and a specific place in the log are associated with one another; and
a prediction step of predicting, when a detection alert informing of occurrence of an attack on the analysis target system is received, a range of compromise from the attack by referring to the attack tree, the abstract attack tree, and the log check management information,
wherein the prediction step includes:
identifying, when the detection alert is received, the indicators of compromise that correspond to the attack by referring to the attack tree;
determining that an attack of a known pattern has occurred as the attack when the indicators of compromise that correspond to the attack are successfully identified, and predicting the range of compromise from the identified indicators of compromise;
determining that an attack of an unknown pattern has occurred as the attack when the indicators of compromise that correspond to the attack are unsuccessfully identified;
identifying, when it is determined that the attack of the unknown pattern has occurred, the abstract attack name by referring to the abstract attack tree; and
predicting the range of compromise from the attack of the unknown pattern by identifying the device for which the log is to be checked as a device in which indicators of the attack of the unknown pattern are anticipated, and by identifying a specific place in the log of the identified device, by referring to the identified abstract attack name and the log check management information.
4. A non-transitory computer-readable medium storing an attack estimation program for causing a computer to execute:
a storage step of holding, in a non-transitory storage memory, an attack tree in which an attack method assumed in advance in an analysis target system and indicators of compromise are associated with each other, an abstract attack tree in which the attack method and an abstract attack name that is obtained by generalizing the attack method are associated with each other, and log check management information in which the abstract attack name, a device for which a log is to be checked, and a specific place in the log are associated with one another; and
a prediction step of predicting, when a detection alert informing of occurrence of an attack on the analysis target system is received, a range of compromise from the attack by referring to the attack tree, the abstract attack tree, and the log check management information,
wherein the prediction step includes:
identifying, when the detection alert is received, the indicators of compromise that correspond to the attack by referring to the attack tree;
determining that an attack of a known pattern has occurred as the attack when the indicators of compromise that correspond to the attack are successfully identified, and predicting the range of compromise from the identified indicators of compromise;
determining that an attack of an unknown pattern has occurred as the attack when the indicators of compromise that correspond to the attack are unsuccessfully identified;
identifying, when it is determined that the attack of the unknown pattern has occurred, the abstract attack name by referring to the abstract attack tree; and
predicting the range of compromise from the attack of the unknown pattern by identifying the device for which the log is to be checked as a device in which indicators of the attack of the unknown pattern are anticipated, and by identifying a specific place in the log of the identified device, by referring to the identified abstract attack name and the log check management information.

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2019/010044 WO2020183615A1 (en) 2019-03-12 2019-03-12 Attack estimation device, attack control method, and attack estimation program

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/010044 Continuation WO2020183615A1 (en) 2019-03-12 2019-03-12 Attack estimation device, attack control method, and attack estimation program

Publications (2)

Publication Number Publication Date
US20210357501A1 US20210357501A1 (en) 2021-11-18
US11893110B2 true US11893110B2 (en) 2024-02-06

Family

ID=72427354

Family Applications (1)

Application Number Title Priority Date Filing Date
US17/386,169 Active 2040-01-30 US11893110B2 (en) 2019-03-12 2021-07-27 Attack estimation device, attack estimation method, and attack estimation program

Country Status (4)

Country Link
US (1) US11893110B2 (en)
JP (1) JP6918269B2 (en)
CN (1) CN113544676A (en)
WO (1) WO2020183615A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7427574B2 (en) 2020-11-30 2024-02-05 株式会社日立製作所 Condition diagnosis device and condition diagnosis method
CN112887303B (en) * 2021-01-25 2022-09-30 中国人民解放军92493部队参谋部 Series threat access control system and method
WO2023223515A1 (en) * 2022-05-19 2023-11-23 日本電信電話株式会社 Attack path estimation system, attack path estimation device, attack path estimation method, and program

Citations (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009047113A1 (en) 2007-10-10 2009-04-16 Telefonaktiebolaget Lm Ericsson (Publ) Apparatus for reconfiguration of a technical system based on security analysis and a corresponding technical decision support system and computer program product
US20130318616A1 (en) * 2012-05-23 2013-11-28 International Business Machines Corporation Predicting attacks based on probabilistic game-theory
US9438623B1 (en) * 2014-06-06 2016-09-06 Fireeye, Inc. Computer exploit detection using heap spray pattern matching
JP6000495B2 (en) 2014-02-26 2016-09-28 三菱電機株式会社 Attack detection device, attack detection method, and attack detection program
US20180004942A1 (en) * 2016-06-20 2018-01-04 Jask Labs Inc. Method for detecting a cyber attack
US20180004958A1 (en) * 2016-07-01 2018-01-04 Hewlett Packard Enterprise Development Lp Computer attack model management
US9894090B2 (en) 2015-07-14 2018-02-13 Sap Se Penetration test attack tree generator
US20180322283A1 (en) * 2015-06-17 2018-11-08 Accenture Global Services Limited Event anomaly analysis and prediction
US20190132344A1 (en) * 2016-12-16 2019-05-02 Patternex, Inc. Method and system for employing graph analysis for detecting malicious activity in time evolving networks
US20190222604A1 (en) * 2018-01-12 2019-07-18 Vimal Vaidya Method and apparatus for measuring and predicting threat responsiveness
US20190238583A1 (en) * 2018-01-31 2019-08-01 Vimal Vaidya Method and system for generating stateful attacks
US10530810B2 (en) * 2014-09-30 2020-01-07 Palo Alto Networks, Inc. Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network
US20200137084A1 (en) * 2018-10-25 2020-04-30 EMC IP Holding Company LLC Protecting against and learning attack vectors on web artifacts
US20200336497A1 (en) * 2019-04-18 2020-10-22 International Business Machines Corporation Detecting sensitive data exposure via logging

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4265163B2 (en) * 2002-07-18 2009-05-20 ソニー株式会社 Network security system, information processing apparatus, information processing method, and computer program
JP2005085158A (en) * 2003-09-10 2005-03-31 Toshiba Corp Improper access detector, and abnormal data detecting method over computer network
JP5264470B2 (en) * 2008-12-26 2013-08-14 三菱電機株式会社 Attack determination device and program
EP2947595A4 (en) * 2013-01-21 2016-06-08 Mitsubishi Electric Corp Attack analysis system, coordination device, attack analysis coordination method, and program
CA2981864A1 (en) * 2015-04-10 2016-10-13 PhishMe, Inc. Suspicious message processing and incident response
US10609079B2 (en) * 2015-10-28 2020-03-31 Qomplx, Inc. Application of advanced cybersecurity threat mitigation to rogue devices, privilege escalation, and risk-based vulnerability and patch management
US10193906B2 (en) * 2015-12-09 2019-01-29 Checkpoint Software Technologies Ltd. Method and system for detecting and remediating polymorphic attacks across an enterprise
JP6774881B2 (en) * 2016-05-18 2020-10-28 株式会社日立製作所 Business processing system monitoring device and monitoring method
CN106375339B (en) * 2016-10-08 2019-07-09 电子科技大学 Attack mode detection method based on event sliding window
CN107046543A (en) * 2017-04-26 2017-08-15 国家电网公司 A kind of threat intelligence analysis system traced to the source towards attack
CN109067815B (en) * 2018-11-06 2021-11-19 深信服科技股份有限公司 Attack event tracing analysis method, system, user equipment and storage medium

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009047113A1 (en) 2007-10-10 2009-04-16 Telefonaktiebolaget Lm Ericsson (Publ) Apparatus for reconfiguration of a technical system based on security analysis and a corresponding technical decision support system and computer program product
JP5406195B2 (en) 2007-10-10 2014-02-05 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Apparatus for reconfiguring a technical system based on security analysis, and corresponding technical decision support system and computer program product
US20130318616A1 (en) * 2012-05-23 2013-11-28 International Business Machines Corporation Predicting attacks based on probabilistic game-theory
US9916445B2 (en) 2014-02-26 2018-03-13 Mitsubishi Electric Corporation Attack detection device, attack detection method, and non-transitory computer readable recording medium recorded with attack detection program
JP6000495B2 (en) 2014-02-26 2016-09-28 三菱電機株式会社 Attack detection device, attack detection method, and attack detection program
US9438623B1 (en) * 2014-06-06 2016-09-06 Fireeye, Inc. Computer exploit detection using heap spray pattern matching
US10530810B2 (en) * 2014-09-30 2020-01-07 Palo Alto Networks, Inc. Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network
US20180322283A1 (en) * 2015-06-17 2018-11-08 Accenture Global Services Limited Event anomaly analysis and prediction
US9894090B2 (en) 2015-07-14 2018-02-13 Sap Se Penetration test attack tree generator
US20180004942A1 (en) * 2016-06-20 2018-01-04 Jask Labs Inc. Method for detecting a cyber attack
US20180004958A1 (en) * 2016-07-01 2018-01-04 Hewlett Packard Enterprise Development Lp Computer attack model management
US20190132344A1 (en) * 2016-12-16 2019-05-02 Patternex, Inc. Method and system for employing graph analysis for detecting malicious activity in time evolving networks
US20190222604A1 (en) * 2018-01-12 2019-07-18 Vimal Vaidya Method and apparatus for measuring and predicting threat responsiveness
US20190238583A1 (en) * 2018-01-31 2019-08-01 Vimal Vaidya Method and system for generating stateful attacks
US20200137084A1 (en) * 2018-10-25 2020-04-30 EMC IP Holding Company LLC Protecting against and learning attack vectors on web artifacts
US20200336497A1 (en) * 2019-04-18 2020-10-22 International Business Machines Corporation Detecting sensitive data exposure via logging

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
Godefroy et al., "Automatic generation of correlation rules to detect complex attack scenarios", Information Assurance and Security (IAS), 2014 10th International Conference on. IEEE, 2014, Total 7 pages.
Japanese Office Action for application No. 2021-504681 dated Apr. 27, 2021.
Schneier, "Attack trees: modeling security threats", Dr. Dobb's Journal, Dec. 1999, pp. 1-9.

Also Published As

Publication number Publication date
US20210357501A1 (en) 2021-11-18
JP6918269B2 (en) 2021-08-11
JPWO2020183615A1 (en) 2021-09-13
WO2020183615A1 (en) 2020-09-17
CN113544676A (en) 2021-10-22


Legal Events

Date Code Title Description
AS Assignment

Owner name: MITSUBISHI ELECTRIC CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:NAITO, HISASHI;KAWAUCHI, KIYOTO;SIGNING DATES FROM 20210528 TO 20210621;REEL/FRAME:056993/0627

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE